Analytics Story: Linux Privilege Escalation

Date: 2021-12-17 ID: b9879c24-670a-44c0-895e-98cdb7d0e848 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.

Why it matters

Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Correlation Search

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Linux Add Files In Known Crontab Directories	Cron, Scheduled Task/Job	Anomaly
Linux Add User Account	Local Account, Create Account	Hunting
Linux Adding Crontab Using List Parameter	Cron, Scheduled Task/Job	Hunting
Linux apt-get Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux APT Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux At Allow Config File Creation	Cron, Scheduled Task/Job	Anomaly
Linux At Application Execution	At, Scheduled Task/Job	Anomaly
Linux Auditd Add User Account	Local Account, Create Account	Anomaly
Linux Auditd Add User Account Type	Create Account, Local Account	Anomaly
Linux Auditd At Application Execution	At, Scheduled Task/Job	Anomaly
Linux Auditd Auditd Service Stop	Service Stop	Anomaly
Linux Auditd Base64 Decode Files	Deobfuscate/Decode Files or Information	Anomaly
Linux Auditd Change File Owner To Root	Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification	TTP
Linux Auditd Data Transfer Size Limits Via Split	Data Transfer Size Limits	Anomaly
Linux Auditd Data Transfer Size Limits Via Split Syscall	Data Transfer Size Limits	Anomaly
Linux Auditd Database File And Directory Discovery	File and Directory Discovery	Anomaly
Linux Auditd Disable Or Modify System Firewall	Disable or Modify System Firewall, Impair Defenses	Anomaly
Linux Auditd Doas Conf File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	TTP
Linux Auditd Doas Tool Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Auditd Edit Cron Table Parameter	Cron, Scheduled Task/Job	TTP
Linux Auditd File And Directory Discovery	File and Directory Discovery	Anomaly
Linux Auditd File Permission Modification Via Chmod	Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification	Anomaly
Linux Auditd File Permissions Modification Via Chattr	Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification	TTP
Linux Auditd Find Credentials From Password Managers	Password Managers, Credentials from Password Stores	TTP
Linux Auditd Find Credentials From Password Stores	Password Managers, Credentials from Password Stores	TTP
Linux Auditd Find Private Keys	Private Keys, Unsecured Credentials	TTP
Linux Auditd Find Ssh Private Keys	Private Keys, Unsecured Credentials	Anomaly
Linux Auditd Hidden Files And Directories Creation	File and Directory Discovery	TTP
Linux Auditd Insert Kernel Module Using Insmod Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Auditd Install Kernel Module Using Modprobe Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Auditd Kernel Module Using Rmmod Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	TTP
Linux Auditd Nopasswd Entry In Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Auditd Osquery Service Stop	Service Stop	TTP
Linux Auditd Possible Access Or Modification Of Sshd Config File	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Auditd Possible Access To Credential Files	/etc/passwd and /etc/shadow, OS Credential Dumping	Anomaly
Linux Auditd Possible Access To Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File	Cron, Scheduled Task/Job	Hunting
Linux Auditd Preload Hijack Library Calls	Dynamic Linker Hijacking, Hijack Execution Flow	TTP
Linux Auditd Preload Hijack Via Preload File	Dynamic Linker Hijacking, Hijack Execution Flow	TTP
Linux Auditd Service Restarted	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Auditd Service Started	Service Execution, System Services	TTP
Linux Auditd Setuid Using Chmod Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Auditd Setuid Using Setcap Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	TTP
Linux Auditd Shred Overwrite Command	Data Destruction	TTP
Linux Auditd Sudo Or Su Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Auditd Sysmon Service Stop	Service Stop	TTP
Linux Auditd System Network Configuration Discovery	System Network Configuration Discovery	Anomaly
Linux Auditd Unix Shell Configuration Modification	Unix Shell Configuration Modification, Event Triggered Execution	TTP
Linux Auditd Unload Module Via Modprobe	Kernel Modules and Extensions, Boot or Logon Autostart Execution	TTP
Linux Auditd Virtual Disk File And Directory Discovery	File and Directory Discovery	Anomaly
Linux Auditd Whoami User Discovery	System Owner/User Discovery	Anomaly
Linux AWK Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Busybox Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c89 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c99 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Change File Owner To Root	Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification	Anomaly
Linux Common Process For Elevation Control	Setuid and Setgid, Abuse Elevation Control Mechanism	Hunting
Linux Composer Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Cpulimit Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Csvtool Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Doas Conf File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Doas Tool Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Docker Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Edit Cron Table Parameter	Cron, Scheduled Task/Job	Hunting
Linux Emacs Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux File Created In Kernel Driver Directory	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux File Creation In Init Boot Directory	RC Scripts, Boot or Logon Initialization Scripts	Anomaly
Linux File Creation In Profile Directory	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Find Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GDB Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Gem Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GNU Awk Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Insert Kernel Module Using Insmod Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Install Kernel Module Using Modprobe Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Make Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux MySQL Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Node Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux NOPASSWD Entry In Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Octave Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux OpenVPN Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux PHP Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux pkexec Privilege Escalation	Exploitation for Privilege Escalation	TTP
Linux Possible Access Or Modification Of sshd Config File	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Possible Access To Credential Files	/etc/passwd and /etc/shadow, OS Credential Dumping	Anomaly
Linux Possible Access To Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Possible Append Command To At Allow Config File	At, Scheduled Task/Job	Anomaly
Linux Possible Append Command To Profile Config File	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File	Cron, Scheduled Task/Job	Hunting
Linux Possible Cronjob Modification With Editor	Cron, Scheduled Task/Job	Hunting
Linux Possible Ssh Key File Creation	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Preload Hijack Library Calls	Dynamic Linker Hijacking, Hijack Execution Flow	TTP
Linux Puppet Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux RPM Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Ruby Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Service File Created In Systemd Directory	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Restarted	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Started Or Enabled	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Setuid Using Chmod Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Setuid Using Setcap Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Shred Overwrite Command	Data Destruction	TTP
Linux Sqlite3 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Sudo OR Su Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Hunting
Linux Sudoers Tmp File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Visudo Utility Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Linux Auditd Add User	Linux	`linux:audit`	`/var/log/audit/audit.log`
Linux Auditd Execve	Linux	`linux:audit`	`/var/log/audit/audit.log`
Linux Auditd Path	Linux	`linux:audit`	`/var/log/audit/audit.log`
Linux Auditd Proctitle	Linux	`linux:audit`	`/var/log/audit/audit.log`
Linux Auditd Service Stop	Linux	`linux:audit`	`/var/log/audit/audit.log`
Linux Auditd Syscall	Linux	`linux:audit`	`/var/log/audit/audit.log`
Sysmon for Linux EventID 1	Linux	`sysmon:linux`	`Syslog:Linux-Sysmon/Operational`
Sysmon for Linux EventID 11	Linux	`sysmon:linux`	`Syslog:Linux-Sysmon/Operational`

References

https://attack.mitre.org/tactics/TA0004/

Source: GitHub | Version: 1